Comcast’s Impressive System for Notifying Infected Users

Posted by J.D. Falk, March 1, 2011

Pretty much as long as there’ve been computers, one of the biggest challenges has been user education. How do you create software smart enough to inform a user when they’re about to do something potentially disastrous — or, worse, when something disastrous has been done to them?

As one of the world’s largest access providers, our partner Comcast has put a ton of thought into developing a notification system for their users. Their motivation is clear, and close to the heart of anyone working in security for end user systems: “to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.”

The solution Comcast developed involves, in effect, hijacking HTTP requests — in other words, interrupting web browsing — on the theory that users who don’t know that they’re infected (or even those who do) will continue accessing web pages.

Perhaps unfortunately, while they were doing this Comcast also came under intense scrutiny in the U.S. over network neutrality issues (a topic which seems no closer to resolution today), while other access providers were slammed for monitoring users’ traffic and inserting extra ads into their browsing experiences (an idea that just won’t die). Reading the design document for Comcast’s system, which was published by the IETF last week as RFC 6108, it’s clear that Comcast took all of these concerns into account. Many are even called out as negatives directly in the requirements section:

“The system should not significantly alter the content of the HTTP response from any website the user is accessing.”

“Maintaining the privacy of users is important. As such, content flowing through or incidentally observed by the system must not be cached.”

“The system must not be used to replace any advertising provided by a website, or to insert advertising into websites. This therefore includes cases where a web page already has space for advertising, as well as cases where a web page does not have any advertising. This is a critical area of concern for end users, privacy advocates, and other members of the Internet community. Therefore, it must be made abundantly clear that this system will not be used for such purposes.”

And while it wasn’t listed as a requirement, it appears from the design document that most users’ web traffic will never be intercepted by this system — a relief for users concerned about privacy. Instead, the system is only applied to users whom Comcast feels need to be notified.

Though there are many vendors offering deep packet inspection appliances intended for enterprise networks, and some of those include interruptive notification features, Comcast designed this system to use commonly available open source software and open standards — specifically the Internet Content Adaptation Protocol (ICAP, RFC 3507) as implemented by the venerable Squid caching proxy, the GreasySpoon scripting framework, and Apache Tomcat.
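To make the interception mechanism concrete, here is an added example (not Comcast's code and not taken from RFC 6108) of the decision logic an ICAP response-modification hook could apply in the Squid/GreasySpoon arrangement described above. It shows the constraints the requirements quoted earlier impose on such a hook: only subscribers on a notification list are touched, only successful HTML responses are adapted, the page content is left intact apart from one inserted notice element, the insert is idempotent, and the adapted copy is marked uncacheable so the notice can never leak to another user. The notification list, the notice markup and the `HttpResponse` container are constructed for the example; a real deployment would be driven by the provider's abuse data and would run as a proper ICAP server rather than a plain function.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: subscriber addresses the abuse desk has flagged for
# notification. Everyone else's traffic passes through untouched, matching the
# design's "only users who need to be notified" scope.
NOTIFY_LIST = {ipaddress.ip_address("203.0.113.45")}

# Hypothetical notice markup. It is the only change made to the page: no
# existing content is removed and no advertising is replaced or inserted.
NOTIFICATION_HTML = (
    '<div id="isp-security-notice" style="position:fixed;top:0;left:0;'
    'width:100%;z-index:2147483647;background:#fff3cd;color:#000;'
    'padding:1em;font:14px sans-serif">'
    "Our systems indicate this computer may be infected with malware. "
    "Please visit your account's security page for next steps.</div>"
)

MARKER = b'id="isp-security-notice"'  # makes the injection idempotent
_BODY_TAG = re.compile(rb"<body[^>]*>", re.IGNORECASE)


@dataclass
class HttpResponse:
    status: str               # e.g. "200 OK"
    headers: dict[str, str]   # header name -> value
    body: bytes


def should_notify(client_ip: str, resp: HttpResponse) -> bool:
    """Return True only if this client/response pair is eligible for a notice."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if ip not in NOTIFY_LIST:
        return False
    if not resp.status.startswith("200"):
        return False
    ctype = resp.headers.get("Content-Type", "").lower()
    if not ctype.startswith("text/html"):
        return False
    # Compressed or chunked bodies would have to be decoded first; skip them
    # rather than corrupt them.
    if resp.headers.get("Content-Encoding") or resp.headers.get("Transfer-Encoding"):
        return False
    if MARKER in resp.body:
        return False  # already carries the notice
    return True


def adapt_response(client_ip: str, resp: HttpResponse) -> HttpResponse:
    """RESPMOD-style hook: insert the notice right after <body> for flagged clients."""
    if not should_notify(client_ip, resp):
        return resp
    match = _BODY_TAG.search(resp.body)
    if match is None:
        return resp  # no <body> tag: leave the document alone rather than guess
    cut = match.end()
    new_body = resp.body[:cut] + NOTIFICATION_HTML.encode() + resp.body[cut:]
    new_headers = dict(resp.headers)
    new_headers["Content-Length"] = str(len(new_body))
    # The adapted copy must never be cached downstream, or the notice would
    # reach other users or persist after this subscriber has been cleaned up.
    new_headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
    new_headers["Pragma"] = "no-cache"
    return HttpResponse(resp.status, new_headers, new_body)


if __name__ == "__main__":
    page = HttpResponse(
        "200 OK",
        {"Content-Type": "text/html; charset=utf-8"},
        b"<html><head><title>t</title></head><body><p>hello</p></body></html>",
    )
    print(adapt_response("203.0.113.45", page).body.decode())
    print(adapt_response("198.51.100.7", page) is page)
```

Because the hook returns the original object whenever a client is not on the list, the common case costs one set lookup and no body copy, which is what keeps "most users' web traffic will never be intercepted" true in practice. Note that a design like this only sees plain HTTP; TLS-protected traffic cannot be adapted by a transparent ICAP hop, which is one reason such systems pair the page overlay with other notification channels.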

It’s an impressive design, and I think it’s even more impressive that Comcast has chosen to be so open with it. Not only are they encouraging and inviting honest discussion of the entire concept of interrupting users’ internet traffic to provide much-needed notification and education, they’re also giving the rest of the world a big head start on how to do it right.